Users of the LastPass password manager are being targeted in so-called “credential stuffing” attacks, in which attackers try email addresses and passwords obtained from third-party breaches against LastPass accounts.
LastPass has issued an official statement in response to concerns raised by users who received blocked-access email warnings, which are normally sent to users who log in from several devices and locations.
The email notifications caused concerns about a data breach at the LogMeIn-owned startup, which claims more than 30 million users and 85,000 business customers around the world. LastPass, however, downplayed the severity of the issue in a note credited to VP of Engineering Gabor Angyal, saying the warnings were linked to known credential-stuffing attacks.
LastPass explained: “We recently investigated reports of an uptick of users receiving blocked access emails, normally sent to users who log in from different devices and locations.
Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services.
We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third party as a result of these credential stuffing attempts, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.”
Angyal acknowledged that LastPass sent some security alerts in error, but he did not go into detail about the scale of the problem or the errors behind the alerts that prompted worried users to flag the issue on social media.
Angyal said: “Our investigation has since found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered in error. As a result, we have adjusted our security alert systems and this issue has since been resolved.”
The LastPass VP recommended that customers create a strong Master Password and never reuse it on any other website or app. In response to the ongoing credential-stuffing attacks, Angyal advises users to change their LastPass Master Passwords immediately and set up multi-factor authentication on all accounts.
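The distinction at the heart of this story is between a credential-stuffing source (one address trying many accounts, mostly failing) and a legitimate user signing in from a new device or location, which is what the blocked-access alerts are meant to catch. The following is an added illustration, not LastPass code or logs; the event format, thresholds and sample IP addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events (not real LastPass logs):
# (timestamp_seconds, source_ip, account_email, outcome)
SAMPLE_EVENTS = [
    (0,  "198.51.100.7", "alice@example.com", "fail"),
    (5,  "198.51.100.7", "bob@example.com",   "fail"),
    (9,  "198.51.100.7", "carol@example.com", "fail"),
    (14, "198.51.100.7", "dave@example.com",  "success"),  # a reused password
    (20, "198.51.100.7", "erin@example.com",  "fail"),
    (25, "198.51.100.7", "frank@example.com", "fail"),
    # One real user signing in from a new location: single account, success.
    (30, "203.0.113.42", "alice@example.com", "success"),
]


def classify_sources(events, window=300, min_accounts=5, max_success_rate=0.5):
    """Map each source_ip to a verdict (thresholds are assumed, not LastPass's).

    'stuffing':   many distinct accounts from one source inside the window with
                  a low success rate, i.e. leaked credential pairs being replayed.
    'new_device': a single account succeeding from an address not seen before;
                  this warrants a 'new login' notice, not a blocked-access alarm.
    'benign':     anything else.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_ip[ip].append((ts, account, outcome))
    verdicts = {}
    for ip, evts in by_ip.items():
        evts.sort()
        accounts = {a for _, a, _ in evts}
        span = evts[-1][0] - evts[0][0]
        successes = sum(1 for _, _, o in evts if o == "success")
        rate = successes / len(evts)
        if len(accounts) >= min_accounts and span <= window and rate <= max_success_rate:
            verdicts[ip] = "stuffing"
        elif len(accounts) == 1 and successes == len(evts):
            verdicts[ip] = "new_device"
        else:
            verdicts[ip] = "benign"
    return verdicts


def accounts_to_notify(events, verdicts):
    """Accounts with a *successful* login from a stuffing source: these users
    reused a breached password and should rotate it and enable MFA."""
    return sorted({a for _, ip, a, o in events
                   if verdicts.get(ip) == "stuffing" and o == "success"})
```

Tuning the window and account thresholds too loosely is exactly how a single user on several devices ends up receiving an alarming alert, which is the false-positive case the statement above describes.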